{
	"id": "67b59314-9986-4804-a3d2-7f08dcaa6416",
	"created_at": "2026-04-06T00:10:07.92487Z",
	"updated_at": "2026-04-10T03:37:33.299011Z",
	"deleted_at": null,
	"sha1_hash": "3b8f3caabad90a6775663006cab55a3063678e79",
	"title": "UNC3524: Eye Spy on Your Email | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 407967,
	"plain_text": "UNC3524: Eye Spy on Your Email | Mandiant\nBy Mandiant\nPublished: 2022-05-02 · Archived: 2026-04-02 11:32:12 UTC\nWritten by: Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan, Chris Gardner\n\nUPDATE (November 2022): We have merged UNC3524 with APT29. The UNC3524 activity described in this post is now attributed to APT29.\n\nSince December 2019, Mandiant has observed advanced threat actors increase their investment in tools to facilitate bulk email collection from victim environments, especially as it relates to their support of suspected espionage objectives. Email messages and their attachments offer a rich source of information about an organization, stored in a centralized location for threat actors to collect. Most email systems, whether on-premises or in the cloud, offer programmatic methods to search and access email data across an entire organization, such as eDiscovery and the Graph API. Mandiant has observed threat actors use these same tools to support their own collection requirements and to target the mailboxes of individuals in victim organizations.\n\nIn this blog post, we introduce UNC3524, a newly discovered suspected espionage threat actor that, to date, heavily targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions. On the surface, their targeting of individuals involved in corporate transactions suggests a financial motivation; however, their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021, as reported in M-Trends 2022, suggests an espionage mandate. Part of the group’s success at achieving such a long dwell time can be credited to their choice to install backdoors on appliances within victim environments that do not support security tools, such as anti-virus or endpoint protection. The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the “advanced” in Advanced Persistent Threat. UNC3524 also takes persistence seriously. Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign. We are sharing the tools, tactics, and procedures used by UNC3524 to help organizations hunt for and protect against their operations.\n\nAttack Lifecycle\n\nInitial Compromise and Maintain Presence\n\nAfter gaining initial access by unknown means, UNC3524 deployed a novel backdoor tracked by Mandiant as QUIETEXIT, which is based on the open-source Dropbear SSH client-server software. For their long-haul remote access, UNC3524 opted to deploy QUIETEXIT on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response (EDR) tools, which leaves the underlying operating systems to vendors to manage. These appliances are often running older versions of BSD or CentOS and would require considerable planning to compile functional malware for them. By targeting trusted systems within victim environments that do not support any type of security tooling, UNC3524 was able to remain undetected in victim environments for at least 18 months.\n\nQUIETEXIT works as if the traditional client-server roles in an SSH connection were reversed. Once the client, running on a compromised system, establishes a TCP connection to a server, it performs the SSH server role. The QUIETEXIT component running on the threat actor’s infrastructure initiates the SSH connection and sends a password. Once the backdoor establishes a connection, the threat actor can use any of the options available to an SSH client, including proxying traffic via SOCKS. QUIETEXIT has no persistence mechanism; however, we have observed UNC3524 install a run command (rc) as well as hijack legitimate application-specific startup scripts to enable the backdoor to execute on system startup.\n\nFigure 1: How QUIETEXIT works with IoT devices\n\nOn startup, QUIETEXIT attempts to change its name to cron, but the malware author did not implement this correctly, so it fails. During our incident response investigations, we recovered QUIETEXIT samples that were renamed to blend in with other legitimate files on the file system. In one case with an infected node of a NAS array, UNC3524 named the binary to blend in with a suite of scripts used to mount various filesystems to the NAS.\n\nWhen run with the command line arguments -X -p <port>, the malware connects to a hard-coded command and control (C2) address on the specified port. If this fails, it will attempt to connect to a second hard-coded C2 if one is configured. The user can also specify a hostname or IP address in the -p argument, e.g. -X -p <host>:<port>. The -X command line argument is case sensitive. If the lower-case x option is used, the malware will only attempt to connect to the C2 server once. If the upper-case X option is used, the malware will sleep for a random number of minutes within a hard-coded time range and fork to reattempt the connection. It re-attempts the connection regardless of whether a connection has already been established. In our investigations we observed UNC3524 use C2 domains that were intended to blend in with legitimate traffic originating from the infected appliances. Using the example of an infected load balancer, the C2 domains contained strings that could plausibly relate to the device vendor and branded operating system name. This level of planning demonstrates that UNC3524 understands incident response processes and tried to make their C2 traffic appear legitimate to anyone that might scroll through DNS or session logs.\n\nAll QUIETEXIT C2 domains that Mandiant observed used Dynamic DNS providers. Dynamic DNS allows threat actors to update the DNS records for domains in a near seamless fashion. When the C2s were inactive, the threat actor had the domains resolve to 127.0.0.1. However, occasionally the port numbers would change or VPS infrastructure would be used rather than the compromised camera botnet. We suspected that when the threat actor experienced issues accessing a victim, they would troubleshoot using new infrastructure or different ports.\n\nIn some cases, the threat actor deployed a secondary backdoor as a means of alternate access into victim environments. This alternate access was a REGEORG web shell previously placed on a DMZ web server. REGEORG is a web shell that creates a SOCKS proxy, in keeping with UNC3524’s preference for tunneling malware. Once inside the victim environment, the threat actor spent time identifying web servers in the victim environment and ensuring they found one that was Internet accessible before copying REGEORG to it. They also took care to name the file so that it blended in with the application running on the compromised server. Mandiant also observed instances where UNC3524 used timestomping to alter the Standard Information timestamps of the REGEORG web shell to match other files in the same directory.\n\nUNC3524 only used these web shells when their QUIETEXIT backdoors stopped functioning, and only to re-establish QUIETEXIT on another system in the network. Rather than use the public version of REGEORG published by SensePost, UNC3524 used a still public but little-known version of the web shell that is heavily obfuscated. This allowed them to bypass common signature-based detections for REGEORG.\n\nMove Laterally\n\nOnce UNC3524 established a foothold in the network, they demonstrated a very low malware footprint and instead relied on built-in Windows protocols. During our incident response investigations, we traced most accesses to a victim appliance infected with QUIETEXIT. QUIETEXIT supports the full functionality of SSH, and our observation is consistent with UNC3524 using it to establish a SOCKS tunnel into the victim environments. By standing up a SOCKS tunnel, the threat actor effectively plugs their machine into an Ethernet jack within the victim’s network. By tunneling over SOCKS, the threat actor can execute tools to steal data from their own computer, leaving no traces of the tooling itself on victim computers.\n\nFigure 2: Tunneling through QUIETEXIT\n\nTo perform lateral movement to systems of interest, UNC3524 used a customized version of Impacket’s WMIEXEC. WMIEXEC uses Windows Management Instrumentation to establish a semi-interactive shell on a remote host. The utility provides a semi-interactive shell by writing command outputs to a file on the remote host and then printing the output to the terminal. The default Impacket version uses a hardcoded file path and filename structure for these output files, providing a detection opportunity. Mandiant has observed UNC3524 modifying the hardcoded file path (\\\\127.0.0.1\\ADMIN$\\debug\\DEBUG.LOG) to evade basic detections for filenames such as Impacket’s default double underscore files. We also observed the threat actor using the built-in reg save command to save registry hives and extract LSA secrets offline.\n\nComplete Mission\n\nOnce UNC3524 successfully obtained privileged credentials to the victim’s mail environment, they began making Exchange Web Services (EWS) API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment. In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing their attention on executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff. It’s likely that the threat actor was targeting the IT security team as a method to determine if their operation had been detected.\n\nThe methods that UNC3524 used to authenticate to the Exchange infrastructure evolved throughout the course of the intrusions; this may be a result of them periodically losing access due to the natural changes in corporate infrastructure or simply updating their tactics. They authenticated to Exchange using the username and password of targeted accounts, using accounts holding ApplicationImpersonation rights, or using Service Principal credentials. Each of these methods, their detections, and configuration recommendations can be found in Mandiant's UNC2452 Microsoft 365 Hardening Guide.\n\nOnce authenticated to the Exchange infrastructure, UNC3524 made a series of EWS API requests to extract mail items from the target mailbox. For each mailbox, the threat actor made a series of GetFolder and FindFolder requests that returned data describing the mailbox, such as the number of unread messages and sub-folders within the specified folder.\n\nFigure 3: Sample EWS GetFolder request (the request body did not survive extraction; only the XML declaration, the mailbox target@victimorg.com and the value Default remain)\n\nAfter the enumeration of the mailbox structure, the threat actor issued a FindItem request with a Query Filter that selected all messages from a specific folder with a DateTimeCreated greater than a specific date. The date in the filter corresponded to the last time the threat actor accessed the mailbox. This meant that the threat actor would acquire all newly created items in the mailbox since the last time they had extracted data. This follows an approach that Mandiant has previously observed with APT29. Rather than target a mailbox using specific keywords, the threat actor instead extracted the entire contents over a particular date range.\n\nFigure 4: Sample EWS FindItem request (the request body did not survive extraction; only the XML declaration, the mailbox target@victimorg.com and the value IdOnly remain)\n\nFinally, the threat actor iterated through each message identifier returned in the FindItem response and made a GetItem request. The threat actor set the IncludeMimeContent parameter to true for the request, which resulted in Exchange returning the message in MIME format. This is important because the MIME message includes both the message body and any attachments. It is worth noting that if the messages were encrypted using PGP, S/MIME, Office 365 Message Encryption (OME), or other encryption technology, then the GetItem response will only contain the ciphertext or, in the case of OME, a link to authenticate and view the real message.\n\nFigure 5: Sample EWS GetItem request (the request body did not survive extraction; only the XML declaration, the namespace xmlns:t=\"https://schemas.microsoft.com/exchange/services/2006/types\" and the values Default and true remain)\n\nOperational Security and Infrastructure\n\nThroughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.\n\nThe C2 systems that Mandiant identified were primarily legacy conference room camera systems sold by LifeSize, Inc. and, in one instance, a D-Link IP camera. These camera systems appeared to be infected, likely with the server component of QUIETEXIT. These cameras were directly Internet exposed, possibly through an improper UPnP configuration, and may have been running older firmware. Mandiant suspects that default credentials, rather than an exploit, were the likely mechanism used to compromise these devices and form the IoT botnet used by UNC3524. Similar to the use of embedded network devices, UNC3524 can avoid detection by operating from compromised infrastructure connected directly to the public Internet, such as IP cameras, where typical antivirus and security monitoring may be absent.\n\nDetection\n\nUNC3524’s use of compromised appliances makes host-based hunting and detection extremely difficult. The best opportunity for detection remains in network-based logging, specifically monitoring traffic at the layer 7 level. Mandiant recommends hunting for traffic tagged as the “SSH” application egressing environments over ports other than 22. This traffic should be relatively small, and any findings should be investigated. Organizations can also look for outbound SSH traffic originating from IP addresses that are unknown or not in asset management systems. These source systems are more likely to be appliances that aren’t centrally managed. Finally, large volumes of network traffic originating from the “management” interfaces of appliances such as NAS arrays and load balancers should be investigated as suspicious as well.\n\nUNC3524 targets opaque network appliances because they are often the most unsecure and unmonitored systems in a victim environment. Organizations should take steps to inventory their devices that are on the network and do not support monitoring tools. Each device likely has vendor-specific hardening actions to take to ensure that the proper logging is enabled, and logs are forwarded to a central repository. Organizations can also take steps to use network access controls to limit or completely restrict egress traffic from these devices.\n\nFor host-based hunting, Mandiant recommends hunting for QUIETEXIT on devices using the provided grep commands. Most appliances that provide shell access should have the grep binary available.\n\nFind QUIETEXIT hard-coded byte string using grep:\n\nFind QUIETEXIT by looking for the hard-coded password value:\n\nLC_ALL=C grep -P '\\xDD\\xE5\\xD5\\x97\\x20\\x53\\x27\\xBF\\xF0\\xA2\\xBA\\xCD\\x96\\x35\\x9A\\xAD\\x1C\\x75\\xEB\\x47' -rs /\n\nThe \\x escapes in this pattern are interpreted as raw bytes only by GNU grep with -P and in the C locale, which is why the command sets LC_ALL=C and passes -P; without them grep would search for the literal letters instead of the byte values.\n\nFind QUIETEXIT persistence mechanisms in the appliance’s rc.local directory by looking for the command line arguments:\n\ngrep -E -e \" -[Xx] -p [[:digit:]]{2,6}\" -rs /etc\n\nRemediation and Hardening\n\nMandiant has published remediation and hardening strategies for Microsoft 365.\n\nAttribution\n\nThe methodologies Mandiant observed during UNC3524 intrusions overlapped with techniques used by multiple Russia-based espionage threat actors, including both EWS impersonation and SPN credential addition. Mandiant has only observed APT29 performing SPN credential addition; however, this technique has been reported on publicly since early 2019. The NSA has previously reported automated password spraying using Kubernetes, Exchange exploitation, and REGEORG as associated with APT28. While the activity reported by the NSA used TOR and commercial VPNs, UNC3524 primarily used compromised internet-facing devices. One interesting aspect of UNC3524’s use of REGEORG was that it matched identically with the version publicly reported by the NSA as used by APT28. At the time of writing, Mandiant cannot conclusively link UNC3524 to an existing group currently tracked by Mandiant.\n\nAcknowledgements\n\nWe would like to thank our incident response consultants, Managed Defense responders, and FLARE reverse engineers who enabled this research. Thanks to Kirstie Failey, Jake Nicastro, John Wolfram, Sarah Hawley and Nick Richard for technical review, and Ryan Hall and Alyssa Rahman for research contributions.\n\nMITRE ATT&CK\n\nMandiant has observed UNC3524 use the following techniques.\n\nATT&CK Tactic Category: Techniques\n\nDefense Evasion:\n  T1027: Obfuscated Files or Information\n\nDiscovery:\n  T1012: Query Registry\n  T1016: System Network Configuration Discovery\n  T1049: System Network Connections Discovery\n  T1057: Process Discovery\n  T1518: Software Discovery\n\nCredential Access:\n  T1003.004: LSA Secrets\n  T1003.006: DCSync\n  T1111: Two-Factor Authentication Interception\n\nCollection:\n  T1114: Email Collection\n  T1114.002: Remote Email Collection\n\nLateral Movement:\n  T1021.004: SSH\n\nPersistence:\n  T1037.004: RC Scripts\n  T1098.001: Additional Cloud Credentials\n  T1505.003: Web Shell\n\nCommand and Control:\n  T1071: Application Layer Protocol\n  T1090.003: Multi-hop Proxy\n  T1095: Non-Application Layer Protocol\n  T1572: Protocol Tunneling\n  T1573.002: Asymmetric Cryptography\n\nResource Development:\n  T1583.003: Virtual Private Server\n  T1584: Compromise Infrastructure\n  T1608.003: Install Digital Certificate\n\nExecution:\n  T1059.001: PowerShell\n  T1059.003: Windows Command Shell\n\nYARA Signatures\n\nNote: These rules are designed to broadly capture suspicious files and are not designed to detect a particular malware or threat.\n\nrule QUIETEXIT_strings\n{\n    meta:\n        author = \"Mandiant\"\n        date_created = \"2022-01-13\"\n        date_modified = \"2022-01-13\"\n        rev = 1\n    strings:\n        $s1 = \"auth-agent@openssh.com\"\n        $s2 = \"auth-%.8x-%d\"\n        $s3 = \"Child connection from %s:%s\"\n        $s4 = \"Compiled without normal mode, can't run without -i\"\n        $s5 = \"cancel-tcpip-forward\"\n        $s6 = \"dropbear_prng\"\n        $s7 = \"cron\"\n    condition:\n        uint32be(0) == 0x7F454C46 and filesize < 2MB and all of them\n}\n\nrule REGEORG_Tuneller_generic\n{\n    meta:\n        author = \"Mandiant\"\n        date_created = \"2021-12-20\"\n        date_modified = \"2021-12-20\"\n        md5 = \"ba22992ce835dadcd06bff4ab7b162f9\"\n    strings:\n        $s1 = \"System.Net.IPEndPoint\"\n        $s2 = \"Response.AddHeader\"\n        $s3 = \"Request.InputStream.Read\"\n        $s4 = \"Request.Headers.Get\"\n        $s5 = \"Response.Write\"\n        $s6 = \"System.Buffer.BlockCopy\"\n        $s7 = \"Response.BinaryWrite\"\n        $s8 = \"SocketException soex\"\n    condition:\n        filesize < 1MB and 7 of them\n}\n\nrule UNC3524_sha1\n{\n    meta:\n        author = \"Mandiant\"\n        date_created = \"2022-01-19\"\n        date_modified = \"2022-01-19\"\n    strings:\n        $h1 = { DD E5 D5 97 20 53 27 BF F0 A2 BA CD 96 35 9A AD 1C 75 EB 47 }\n    condition:\n        uint32be(0) == 0x7F454C46 and filesize < 10MB and all of them\n}\n\nIndicators\n\nMALWARE FAMILY | Indicator\nQUIETEXIT | Dynamic DNS: cloudns.asia, dynu.net, mywire.org, webredirect.org\n\nMALWARE FAMILY | MD5 | SHA1 | SHA256\nREGEORG (GitHub version) | ba22992ce835dadcd06bff4ab7b162f9 | 3d4dcc859c6ca7e5b36483ad84c9ceef34973f9a | 7b5e3c1c06d82b3e7309C258dfbd4bfcd47\n\nPosted in: Threat Intelligence, Security & Identity\n\nSource: https://www.mandiant.com/resources/blog/unc3524-eye-spy-email",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/unc3524-eye-spy-email"
	],
	"report_names": [
		"unc3524-eye-spy-email"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "94890f31-3a6c-447b-8995-5c5958efea28",
			"created_at": "2023-01-06T13:46:39.352776Z",
			"updated_at": "2026-04-10T02:00:03.29716Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3524",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ff183540-67fb-4514-bd30-b4a264795901",
			"created_at": "2022-10-25T16:07:24.367762Z",
			"updated_at": "2026-04-10T02:00:04.956814Z",
			"deleted_at": null,
			"main_name": "UNC3524",
			"aliases": [],
			"source_name": "ETDA:UNC3524",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b8f3caabad90a6775663006cab55a3063678e79.pdf",
		"text": "https://archive.orkl.eu/3b8f3caabad90a6775663006cab55a3063678e79.txt",
		"img": "https://archive.orkl.eu/3b8f3caabad90a6775663006cab55a3063678e79.jpg"
	}
}